PROBLEM:       A vulnerability exists in Solaris 2.x systems that allows a race condition to be exploited to gain root access.
PLATFORM:      Sun Solaris 2.x (SunOS 5.x) and Solaris 2.4x86
DAMAGE:        Users logged into a system may gain unauthorized root privileges.
SOLUTION:      Use the workaround contained in this bulletin to modify the sticky bit on the /tmp directory.
AVAILABILITY:  See the workaround that is contained in this bulletin
VULNERABILITY ASSESSMENT: Unprivileged users who are logged on to a system can use this vulnerability to gain unauthorized root privileges. An exploit program for this vulnerability has been published publicly. CIAC advises that the workaround described below be performed immediately.
Sun Microsystems has confirmed this vulnerability and is currently testing patches for this vulnerability. Patches from Sun Microsystems will be for Solaris 2.3, 2.4 and 2.4x86. Sun Microsystems expects to have patches available within about a week. This vulnerability has been fixed in the upcoming release of Solaris.
This vulnerability affects the Solaris 2.x (SunOS 5.x) systems. A vulnerability similar to this affected SunOS 4.1.x (Solaris 1.x) systems in the past. Therefore, CIAC recommends that these systems also be checked for the correct permissions. The remainder of this bulletin shows how to identify if this vulnerability exists on your system and additionally identifies commands to be used as a workaround to this vulnerability. Commands shown are for Solaris 2.x systems. Similar commands and configurations exist for SunOS 4.1.x users.
To determine if you are running tmpfs, the following command can be used to verify if the filesystem for /tmp is swap:
    $ /usr/sbin/df -k /tmp
    Filesystem            kbytes    used   avail capacity  Mounted on
    swap                  158728      28  158700     0%    /tmp

or look in the file /etc/vfstab for the configuration line:
    #device         device          mount   FS      fsck    mount   mount
    #to mount       to fsck         point   type    pass    at boot options
    #
    swap            -               /tmp    tmpfs   -       yes     -

If either of these two conditions exists, then you are running tmpfs and the system may automatically reset the permission bits of /tmp at the next reboot.
To verify if your configuration is vulnerable, the following command may be used:
    $ ls -ld /tmp
    drwxrwxrwt   5 root     root         306 Aug 16 11:12 /tmp
             ^
             ^ (Sticky bit is set -- system not currently vulnerable)

    $ ls -ld /tmp
    drwxrwxrwx   5 root     root         306 Aug 16 11:12 /tmp
             ^
             ^ (Sticky bit is not set -- system is vulnerable)

If the sticky bit (t) is not set, then the system is vulnerable.
The immediate workaround is to set the sticky bit on the /tmp directory using the following command as root:
    # /usr/bin/chmod 1777 /tmp

Note that this command must be performed after each reboot if you are mounting swap as /tmp (using tmpfs).
In addition, the ownership and group membership of the /tmp directory should be verified using ls -ld /tmp and if incorrect may be reset by issuing the following commands:
    # /usr/bin/chown root /tmp
    # /usr/bin/chgrp root /tmp
It is possible to perform these commands automatically at reboot by creating the following script as /etc/init.d/tmpfsfix:
-------------------------8<--- cut here ---8<--------------------------------
#!/bin/sh
if [ -d /tmp ]
then
    /usr/bin/chmod 1777 /tmp
    /usr/bin/chgrp root /tmp
    /usr/bin/chown root /tmp
fi
#
# end of script tmpfsfix
-------------------------8<--- cut here ---8<--------------------------------

A symbolic link should then be created called /etc/rc3.d/S79tmpfix which points to /etc/init.d/tmpfsfix by issuing the following command as root:
    # /usr/bin/ln -s /etc/init.d/tmpfsfix /etc/rc3.d/S79tmpfix
The /var/tmp directory should be similarly checked and corrected. Note that this directory is not usually mounted as tmpfs, and therefore is not subject to automatic resetting of its permission bits on reboot.
    % ls -ld /var/tmp
    drwxrwxrwt   2 root          512 Aug 15 11:35 /var/tmp
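The checks above can be combined into one audit script. This is an added example, not part of the original bulletin or of any Sun patch: it tests /tmp and /var/tmp for the sticky bit and root ownership, and reports whether /etc/vfstab mounts /tmp as tmpfs. The function names and status words are assumptions of this example, and it treats numeric uid 0 and gid 0 as root.

```shell
#!/bin/sh
# Added example: audit the conditions the bulletin describes.

# dir_status DIR [UID] [GID]
# Prints ok, no-sticky, bad-owner or missing; returns 0 only for "ok".
# UID and GID default to 0 (root), the ownership the bulletin expects.
dir_status() {
    dir=$1; want_uid=${2:-0}; want_gid=${3:-0}
    [ -d "$dir" ] || { echo missing; return 2; }
    # ls -ldn prints: mode links uid gid size date name (numeric ids)
    read -r mode _links uid gid _rest <<EOF
$(ls -ldn "$dir")
EOF
    case $mode in
        d???????w[tT]*) ;;                       # world-writable, sticky set
        d???????w*) echo no-sticky; return 1 ;;  # world-writable, no sticky
    esac
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo bad-owner; return 1
    fi
    echo ok
}

# tmp_on_tmpfs [VFSTAB]
# Returns 0 if the vfstab file mounts /tmp with FS type tmpfs, in which
# case the permission bits may be reset at the next reboot.
# vfstab fields: device, fsck device, mount point, FS type, pass, boot, opts
tmp_on_tmpfs() {
    awk '$1 !~ /^#/ && $3 == "/tmp" && $4 == "tmpfs" { found = 1 }
         END { exit !found }' "${1:-/etc/vfstab}" 2>/dev/null
}

# audit_tmp [VFSTAB]
# Prints one status line per directory, plus a reminder when /tmp is tmpfs.
audit_tmp() {
    vfstab=${1:-/etc/vfstab}
    for d in /tmp /var/tmp; do
        echo "$d: $(dir_status "$d")"
    done
    if tmp_on_tmpfs "$vfstab"; then
        echo "/tmp is tmpfs: permissions may reset at reboot;" \
             "install the tmpfsfix script"
    fi
}

audit_tmp
```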